Malware Soup du Jour

Published: 2007-04-19
Last Updated: 2007-04-19 21:11:26 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
As an avid reader of this diary, you know of course that things are not always what they appear to be. That was the case with a user today who, after hitting a convoluted set of exploit files, ended up with his browser trying to download files from us6-redhat520-com. No, this isn't RedHat Inc. And no, the HTMs coming from there are not HTMs but EXEs in disguise. In the meantime, the more nimble of the AV vendors have even come up with names for the critter: Backdoor.Generic.U (McAfee) and Troj_Agent.PUE (Trend). The hoster of the site has been informed; the owner of the domain and site seems to be located in China.
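A quick check for the "HTM that is really an EXE" trick described above: trust the bytes, not the extension or Content-Type. The following is an added example, not code from the diary or from ISC; it looks for the MZ/PE signatures a Windows executable must carry and flags files whose name suggests a web page or image. The sample bytes are constructed here (a minimal fake PE stub and a plain HTML page), not real malware.

```python
import struct

# Constructed samples for illustration (not real files from the diary).
# A minimal MZ stub whose e_lfanew (offset 0x3C) points at a "PE\0\0" signature.
_stub = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))
_stub += b"\x00" * (0x80 - len(_stub)) + b"PE\x00\x00" + b"\x00" * 20
FAKE_PE = bytes(_stub)
HTML_PAGE = b"<!DOCTYPE html><html><body>hello</body></html>"


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file named like a page or image is actually a PE executable."""
    harmless_looking = (".htm", ".html", ".gif", ".jpg", ".png", ".txt")
    return name.lower().endswith(harmless_looking) and looks_like_pe(data)


if __name__ == "__main__":
    for name, blob in (("update.htm", FAKE_PE), ("index.htm", HTML_PAGE)):
        print(name, "-> PE in disguise" if extension_mismatch(name, blob) else "-> ok")
```

Run this over whatever a proxy or sandbox downloaded; anything that reports "PE in disguise" deserves a closer look regardless of what the server called it.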

In other cases, though, things sometimes are what they appear to be. While investigating a malware sample coming from 81.29.241.231 today, I noticed that in the past month we had analyzed almost a dozen samples coming from the same 81.29.241.0/24 address range. That is indication enough for me that putting this address range "off limits" for my systems is time well invested. The address range is located in Moscow, Russia, so unless your users are located there or do a lot of business with Moscow, chances are small that blocking the entire address range will have side effects.
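To turn the "almost a dozen samples from one /24" observation into a repeatable rule, the following added example (not code from the diary or from ISC) groups sample source addresses by /24, blocks any prefix that crosses a threshold, and honours an allowlist for ranges you really do business with. Only 81.29.241.231 is taken from the diary; the other addresses in the sample list are constructed for illustration, and the threshold of 10 is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample: source addresses of malware samples seen over a month.
# 81.29.241.231 is from the diary; every other address here is made up.
SAMPLE_SOURCES = [
    "81.29.241.231", "81.29.241.17", "81.29.241.17", "81.29.241.200",
    "81.29.241.5", "81.29.241.88", "81.29.241.141", "81.29.241.42",
    "81.29.241.9", "81.29.241.250", "81.29.241.66",
    "203.0.113.7", "198.51.100.23", "198.51.100.99",
]


def count_by_prefix(ips, prefixlen=24):
    """Count how many samples came from each /prefixlen network."""
    counts = Counter()
    for ip in ips:
        counts[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts


def ranges_to_block(ips, threshold=10, prefixlen=24, allow=()):
    """Networks with at least `threshold` samples, minus anything overlapping `allow`."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    blocked = []
    for net, n in count_by_prefix(ips, prefixlen).items():
        if n < threshold:
            continue
        if any(net.overlaps(a) for a in allowed):
            continue  # a partner range: flag it for a human, do not auto-block
        blocked.append(net)
    return sorted(blocked)


def iptables_rules(networks):
    """Render the block list as iptables commands (assumed inbound-drop policy)."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net in networks]


if __name__ == "__main__":
    for rule in iptables_rules(ranges_to_block(SAMPLE_SOURCES)):
        print(rule)
```

The allowlist is the side-effect guard the diary alludes to: if Moscow (or whichever region) is a place your users or partners live, put those ranges in `allow` so the script never emits a DROP for them.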